Age | Commit message (Collapse) | Author | |
---|---|---|---|
2021-07-26 | Squash more CSP-filtering bugs | jahoti | |
On Firefox, original CSP headers are now smuggled (signed) in an x-orig-csp header to prevent re-processing issues with caching. Additionally, a default header is added for non-whitelisted domains in case there are no existing headers we can attach to. | |||
2021-07-26 | Fix some bugs in the refined CSP handling | jahoti | |
2021-07-26 | [UNTESTED- will test] Use more nuanced CSP filtering | jahoti | |
CSP headers are now parsed and processed, rather than treated as simple units. This allows us to ensure policies delivered as HTTP headers do not interfere with our script filtering, as well as to preserve useful protections while removing the ones that could be problematic. Additionally, prefetching should now be blocked on pages where native scripts aren't allowed, and all reporting of CSP violations has been stripped (is this appropriate?). | |||
2021-07-26 | Remove unnecessary imports of url_item and add a CSP header-parsing function | jahoti | |
The parsing function isn't used yet; however, it will eventually be as a less destructive alternative to handling headers as indivisible units. | |||
2021-07-20 | Merge rebranding to "Hachette" | Wojtek Kosior | |
2021-07-20 | fix options_main.js bugs | Wojtek Kosior | |
2021-07-20 | fix page info server bugs | Wojtek Kosior | |
2021-07-20 | Merge commit 'ecb787046271de708b94da70240713e725299d86' | Wojtek Kosior | |
2021-07-19 | Change the icon | jahoti | |
2021-07-19 | Refer to the extension consistently as "Hachette" and remove TODOS.org | jahoti | |
from the copyright file | |||
2021-07-18 | Streamline and harden unique values/settings | jahoti | |
The base URL is now included in the settings. The unique value no longer uses it directly, as it is included by virtue of the settings; however, the number of full hours since the epoch (UTC) is now incorporated. | |||
2021-07-17 | Revamp signatures and break header caching on FF | jahoti | |
Signatures, instead of consisting of the secure salt followed by the unique value generated from the URL, are now the unique value generated from the policy value (which will follow them) succeeded by the URL. CSP headers are now _always_ cleared on FF, regardless of whether the page is whitelisted or not. This means whitelisting takes effect on page reload, rather than only when caching occurs. However, it obviously presents security issues; refinment will occur in a future commit. | |||
2021-07-16 | Use URL-based policy smuggling | jahoti | |
Increase the power of URL-based smuggling by making it (effectively) compulsory in all cases and adapting a <salt><unique value><JSON-encoded settings> structure. While the details still need to be worked out, the potential for future expansion is there. | |||
2021-07-12 | merge jahoti into master | Wojtek Kosior | |
2021-07-12 | Stop using the nonce consistently for a URL | jahoti | |
Nonces are now randomly generated, either in the page (for non-HTTP(S) pages) or by a background module which stores them by tab and frame IDs. In order to support the increased variance in nonce-generating methods and allow them to be loaded from the background, handle_page_actions is now invoked separately according to (non-)blocking mechanism. | |||
2021-07-11 | Remove redundant nonce-based filtering in the script suppressor | jahoti | |
2021-07-11 | Integrate browser.js into exports_init.js, and streamline the result | jahoti | |
2021-07-06 | Merge popup display | Wojtek Kosior | |
2021-07-06 | show some settings of the current page in the popup | Wojtek Kosior | |
2021-07-04 | Revamp default settings | jahoti | |
Default settings are now provided in the same format as data exported from the extension, incorporating them into the main program as part of the build process. Also, modify their contents; the apparently non-functional FSF stuff is gone, replaced with fixes for BandCamp, WorldCat, and SumOfUs. | |||
2021-07-02 | enable opening settings page with certain item immediately in edit mode | Wojtek Kosior | |
2021-07-02 | move parsing of url with targets to misc.js | Wojtek Kosior | |
2021-07-02 | ignore some special files (emacs automatic backups) when building | Wojtek Kosior | |
2021-07-01 | Employ issue tracker | Wojtek Kosior | |
2021-06-30 | fix whitelisting under Firefox | Wojtek Kosior | |
2021-06-30 | remove trailing whitespace | Wojtek Kosior | |
2021-06-30 | refactor 3 miscellaneous fnctionalities to a their single own file | Wojtek Kosior | |
2021-06-30 | emply an sh-based build system; make some changes to blocking | Wojtek Kosior | |
2021-06-28 | Index two new files intended for the previous commit. | jahoti | |
2021-06-28 | License script-blocking techniques from NoScript in machine-readable format. | jahoti | |
In-page blocking now works on Firefox, and JavaScript/data- URLs are properly blocked to ensure no JavaScript leaks in through backdoors. Blocking of HTML/XML data: urls should be refined (eventually) to align with current practice for pages in general. Also, script-blocking is now filtered by nonce, making it possible (albeit perhaps not desirable) to inject scripts before the DOM is complete. | |||
2021-06-26 | remove mnetion of LGPL from javascript exception to the GPL | Wojtek Kosior | |
2021-06-25 | make it clear "A" license contains text from BSD license with its own copyright | Wojtek Kosior | |
2021-06-25 | gather all copyright info in 'copyright' file | Wojtek Kosior | |
2021-06-23 | Fix storage initialization on Icecat 60 | jahoti | |
This patch fixes storage initialization on Gecko browsers by switching from using a background page to using a list of scripts. It remains a mystery why that should have any effect; the only hint is that browser.runtime.onInstalled does not fire when called from a script loaded in a background page. Signed-off-by: jahoti <jahoti@tilde.team> | |||
2021-06-21 | change horizontal line style to light green | Nicholas Johnson | |
2021-06-20 | add button styling | Nicholas Johnson | |
2021-06-19 | add import/export functionality | Wojtek Kosior | |
2021-06-18 | remove unused source files | Wojtek Kosior | |
2021-06-18 | update Asshole license text | Wojtek Kosior | |
2021-06-18 | when possible inject CSP as http(s) header using webRequest instead of ↵ | Wojtek Kosior | |
adding a <meta> tag | |||
2021-06-14 | change licenses | Wojtek Kosior | |
2021-05-14 | react to few bugs | Wojtek Kosior | |
2021-05-14 | support wildcard urls in settings | Wojtek Kosior | |
2021-05-13 | make extension work under IceCat 60 | Wojtek Kosior | |
2021-05-13 | utilize CSP for blocking | Wojtek Kosior | |
2021-05-13 | only allow a single injection payload for page, rely on script bags for ↵ | Wojtek Kosior | |
complex payloads | |||
2021-05-12 | rename "bundles" to "bags" | Wojtek Kosior | |
2021-05-12 | use unique hashes when smuggling whitelist setting | Wojtek Kosior | |
2021-05-12 | fix bug when saving page/bundle | Wojtek Kosior | |
2021-05-12 | stop using js modules | Wojtek Kosior | |